Sysmon Event ID 2

Source

2: A process changed a file creation time

This is an event from Sysmon.

On this page

Description of this event
Field level details
Examples

The change file creation time event is registered when a file creation time is explicitly modified by a process. This event helps tracking the real creation time of a file. Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.

Free Security Log Resources by Randy

Description Fields in 2

Log Name
Source
Logged
Event ID
Task Category
Level
Keywords
User
Computer
OpCode
Description
RuleName
UtcTime
ProcessGuid
ProcessId
Image
TargetFilename
CreationUtcTime
PreviousCreationUtcTime
User

Supercharger Free Edition

Centrally manage WEC subscriptions.

Free.

Examples of 2

File creation time changed:
UtcTime: 2017-07-30 23:26:47.321
ProcessGuid: {a23eae89-ef48-5978-0000-00104832b112}
ProcessId: 25968
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
TargetFilename: C:\Users\rsmith.LAB\AppData\Local\Google\Chrome\User Data\Default\c61f44ce-5bb0-4efe-acc1-246fa8a3df1d.tmp
CreationUtcTime: 2016-11-25 18:21:47.692
PreviousCreationUtcTime: 2017-07-30 23:26:47.317
User: LAB\Administrator

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>2</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>2</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2017-07-30T23:26:47.322369100Z" />
    <EventRecordID>5256170</EventRecordID>
    <Correlation />
    <Execution ProcessID="4740" ThreadID="5948" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>rfsH.lab.local</Computer>
    <Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2017-07-30 23:26:47.321</Data>
    <Data Name="ProcessGuid">{A23EAE89-EF48-5978-0000-00104832B112}</Data>
    <Data Name="ProcessId">25968</Data>
    <Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
    <Data Name="TargetFilename">C:\Users\rsmith.LAB\AppData\Local\Google\Chrome\User Data\Default\c61f44ce-5bb0-4efe-acc1-246fa8a3df1d.tmp</Data>
    <Data Name="CreationUtcTime">2016-11-25 18:21:47.692</Data>
    <Data Name="PreviousCreationUtcTime">2017-07-30 23:26:47.317</Data>
<Data Name="User">LAB\Administrator</Data>
</EventData>
</Event>

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Mini-Seminars Covering Event ID 2

Upcoming Webinars

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Must be a 1-5 digit number No such event ID

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

December 2024 Patch Tuesday	"Patch Tuesday - 2 Zero Days...See You in 2025! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.